Ireland’s data protection authority on Wednesday said it has started investigating whether Facebook had “appropriate technical and organizational measures” in place to protect its users’ personal data. While not the first European probe into Facebook, it’s the first under the EU’s new data rules, which could lead to fines of as much as 4 percent of a company’s annual sales.

Facebook informed the Irish authority “that their internal investigation is continuing and that the company continues to take remedial actions to mitigate the potential risk to users,” the regulator said in a tweet, as it announced its probe. Facebook said in a statement that it’s in close contact with the regulator and “will continue to cooperate with their investigation.”

The breach adds more pressure to the U.S. social media giant, which is still reeling from the separate scandal this year stemming from the revelation that data belonging to as many as 87 million Facebook users and their friends may have been misused by a political consultancy that helped get President Donald Trump elected. That breach was called a game changer as it happened shortly before the EU’s new law, called General Data Protection Regulation, took effect across the 28-nation bloc on May 25.

GDPR, or Why Privacy Is Now Stronger in EU Than U.S.: QuickTake

EU Justice Commissioner Vera Jourova, who pushed through GDPR, tweeted on Wednesday that she had spoken to the Irish privacy commissioner, Helen Dixon, to welcome the probe and “my full support in getting to the bottom of this story.”

Jourova told reporters in Luxembourg on Tuesday that the latest Facebook breach is the “first big test case” for GDPR. Under the rules, the Irish regulator is taking the lead in the EU because Facebook has its European base in the country.

Regulators under the old regime lacked the teeth they needed to levy fines that could really bite. The U.K. watchdog, which has been probing the Cambridge Analytica scandal, said in July Facebook could face a fine of as 500,000 pounds ($647,000) over its failures to prevent a breach. That’s the maximum penalty the regulator could levy before, and this still applies for any violations that happened before GDPR took effect on May 25.

The U.S. Federal Trade Commission’s chairman has signaled that his staff is also looking into the recent breach. DM